Details
-
AboutThe new guy
-
SkillsC, C++, JAVA, Linux, embedded software, VHDL, ML, OpenCV
-
LocationConnecticut
Joined devRant on 7/20/2020
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
And then there was this big review...
DEVs:" this bug is hazardous and needs to be fixed quickly! It could crash a productive system completely!"
CTO and DEV teamlead:" shut up! This big exists more than two years! No customer will ever klick this button!"
--exactly twelve hours later--
Customer:"so we clicked on this button and our system crashed! Can you help us quickly? We are losing money!!!"
CTO in the meeting:"who programmed this shit? Are you insane?"
Teamlead:"you are useless !!"5 -
Who called it "enabling interrupts" and not "SMASH that button to get notified the next time this hardware goes live".
Courtesy: Twitter. -
"I want visibility in the sprint", "Information for everyone! When you do even a small refactoring, you should add a card to the sprint, clear?"
Those were the words of the product manager.
That sounds reasonable but when there is a bug to investigate, he just pops to the chat channel throw a request with a bit of information and asks to check/fix that.
So to keep my sanity, I asked him to create a ticket with relevant information and additional observations so we can have visibility as he was advocating for it ;)
It felt just good to see him going silent :D3 -
During the majority of my career, I've been the stereotypical pissed off guy with earphones in mashing away at his keyboard.
During lunch hours, I absolutely love listening to other pissed off devs. Their tales of buggy Microsoft products, oblivious project managers, dangerously unqualified directors, and severely disabled bosses are often the only thing that put a smile on my face in a workday, and here in Tokyo a workday is often your whole day. I don't feel there's anything wrong with it - the targets of their abuse often really are leeching tons of money while contributing little to nothing, so I feel like they deserve the abuse.
However, I don't like it when devs trash-talk other devs. I sympathize with those guys, even if they wrote bad code. I know writing good code is really, really hard, and I know that they were trying to do it under extremely difficult circumstances (in an office). If they're junior I sympathize even more because they're often better than I was when I had the same amount of experience.
So in conclusion, don't hate your fellow dev. Don't let hatred control you and poison your well-being. Direct your hatred where it belongs, at project managers.5 -
So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)
Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to heard now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.
Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is , we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.
Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.
It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.
I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.
So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.
I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.
Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.
An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:
"please reenter card number to validate."
Bupkiss. Dead end.
OR SO YOU WOULD THINK.
One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:
"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"
One submit click later and the user's credit card number drops into lnav like a gatcha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:
With an authenticated user or any privilege, you could place any order, as anyone, using anyon's payment methods and have it sent anywhere.
So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discretely." Straight up hitler's bunker meme rage.13 -
Looking for a job as a deveoper be like:
Job title: car driver
Job requirements: professional skills in driving normal- and heavy-freight cars, buses and trucks, trolley buses, trams, subways, tractors, shovel diggers, contemporary light and heavy tanks currently in use by NATO countries.
Skills in rally and extreme driving are obligatory!
Formula-1 driving experience is a plus.
Knowledge and experience in repairing of piston and rotor/Wankel engines, automatic and manual transmissions, ignition systems, board computer, ABS, ABD, GPS and car-audio systems by world-known manufacturers - obligatory!
Experience with car-painting and tinsmith tasks is a plus.
The applicants must have certificates by BMW, General Motors and Bosch, but not older than two years.
Compensation: $15-$20/hour, depends on the interview result.
Education requirements: Bachelor's Degree of Engineering.41 -
I put an Easter egg into a product, that if you enter the string "final countdown" into the stock code search field, it plays a YouTube vid of Europe's "The Final Countdown", in a hidden div. It's an in-joke for a few people in the company.
A well meaning maintainer with no sense of humour or judgement takes over and goes on the warpath against any hardcoded strings. The secret code gets moved into a config file.
A third developer changes the deployment script so that it clears any configs that aren't explicitly set in the deployment settings.
So the secret code is now "".
Literally every PC in the stock buying department is now blaring out "The Final Countdown" at top volume.
...Except none of them have speakers, so it remains this way for over a year and two more changes of maintainer.
I just noticed this afternoon and quietly re-hardcoded the string. The buying dept.'s PCs will silently sing no more.31 -
*Now that's what I call a Hacker*
MOTHER OF ALL AUTOMATIONS
This seems a long post. but you will definitely +1 the post after reading this.
xxx: OK, so, our build engineer has left for another company. The dude was literally living inside the terminal. You know, that type of a guy who loves Vim, creates diagrams in Dot and writes wiki-posts in Markdown... If something - anything - requires more than 90 seconds of his time, he writes a script to automate that.
xxx: So we're sitting here, looking through his, uhm, "legacy"
xxx: You're gonna love this
xxx: smack-my-bitch-up.sh - sends a text message "late at work" to his wife (apparently). Automatically picks reasons from an array of strings, randomly. Runs inside a cron-job. The job fires if there are active SSH-sessions on the server after 9pm with his login.
xxx: kumar-asshole.sh - scans the inbox for emails from "Kumar" (a DBA at our clients). Looks for keywords like "help", "trouble", "sorry" etc. If keywords are found - the script SSHes into the clients server and rolls back the staging database to the latest backup. Then sends a reply "no worries mate, be careful next time".
xxx: hangover.sh - another cron-job that is set to specific dates. Sends automated emails like "not feeling well/gonna work from home" etc. Adds a random "reason" from another predefined array of strings. Fires if there are no interactive sessions on the server at 8:45am.
xxx: (and the oscar goes to) fuckingcoffee.sh - this one waits exactly 17 seconds (!), then opens an SSH session to our coffee-machine (we had no frikin idea the coffee machine is on the network, runs linux and has SSHD up and running) and sends some weird gibberish to it. Looks binary. Turns out this thing starts brewing a mid-sized half-caf latte and waits another 24 (!) seconds before pouring it into a cup. The timing is exactly how long it takes to walk to the machine from the dudes desk.
xxx: holy sh*t I'm keeping those
Credit: http://bit.ly/1jcTuTT
The bash scripts weren't bogus, you can find his scripts on the this github URL:
https://github.com/narkoz/...56